Goodwill Investigating Possible Credit Card Breach At Stores

Goodwill Industries International Inc. is investigating a possible credit card breach at its retail locations in the U.S.

The Rockville, Md.-based nonprofit said an investigation was launched on Friday when the Secret Service and a payment card industry fraud investigative unit informed it of possible payment card theft at "select" stores. The company has 165 independent operators that manage its 2,900 retail stores stocked with donated clothing and other goods.

"At this point, no breach has been confirmed but an investigation is underway," the organization said in a statement posted Tuesday on its website. "Goodwill Industries International is working with industry contacts and the federal authorities on the investigation."

Goodwill has annual retail sales of $3.79 billion, according to its website. The company said 83 percent of its total revenue is spent directly on its programs.

An FBI memo obtained by Reuters in January warned executives at retailers to expect more breaches, following what appears to be a similar technique repeated against merchant systems. Many of the attacks target point-of-sale systems using memory-scraping malware to harvest credit card information. The spyware uncovered in the Target breach stored the stolen credit and debit card data in a Windows file and uploaded it to a remote location during working hours hiding itself in legitimate traffic to avoid discovery.

Law enforcement are investigating a spate of retail credit card breaches starting with the massive theft of 40 million credit and debit card numbers at retailer Target when thieves struck during the start of its 2013 holiday shopping season. Target CEO Gregg Steinhafel stepped down in May and the retailer continues to deal with fallout from the security incident. Meanwhile, Neiman Marcus said investigators determined up to 350,000 stolen credit and debit card numbers from its stores. Michaels Stores and its subsidiary Aaron Brothers said credit card thieves made off with up to 3 million credit and debit cards. Restaurant chain P.F. Chang's China Bistro is still investigating the extent of a breach at its 211 restaurants.

While the high-profile data breaches are at major chains, the Verizon Data Breach Investigations Report has documented attacks against smaller merchants, including restaurant franchises and hotel chains where businesses tend to have minimal or no IT resources. It also said point-of-sale system attacks are in decline. Small-business owners get lulled into thinking the data breaches are limited to the largest companies and "that is wrongheaded," said Jeremy MacBean, director of business development at IT Weapons, a Brampton, Ontario-based solution provider.

"These guys are phishing for credit card numbers, login credentials and will manipulate people or try to capture passwords and credit card numbers any way they can regardless of the victim," MacBean said in a recent interview. "It literally is a free for all."

Automated attacks probe systems for vulnerabilities that are easy to exploit or remote management software protected with weak and default passwords, according to solution providers. Smaller merchants typically lack the know-how to meet a minimum level of security and apply data protection measures to thwart an attack, said Michael Knight, CTO at Greenville, S.C.-based Encore Technology Group.

"A layered approach will give you the best chance to detect something and potentially get an attacker to move on to an easier target," Knight said.